From 122c34e65c7bceb40f7a0e62e8d8e807b770d944 Mon Sep 17 00:00:00 2001
From: mike12345567
Date: Wed, 21 Oct 2020 17:35:39 +0100
Subject: [PATCH] Adding validation to pages to protect against screen/page creation with no parameters.
---
packages/server/src/api/routes/pages.js | 31 +++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/packages/server/src/api/routes/pages.js b/packages/server/src/api/routes/pages.js
index afdacff86b..43293a8911 100644
--- a/packages/server/src/api/routes/pages.js
+++ b/packages/server/src/api/routes/pages.js
@@ -1,5 +1,7 @@
 const Router = require("@koa/router")
 const StatusCodes = require("../../utilities/statusCodes")
+const joiValidator = require("../../middleware/joi-validator")
+const Joi = require("joi")
 const {
 listScreens,
 saveScreen,
@@ -12,6 +14,33 @@ const { BUILDER } = require("../../utilities/accessLevels")
 const router = Router()
+function generateSaveValidation() {
+ // prettier-ignore
+ return joiValidator.body(Joi.object({
+ _css: Joi.string().allow(""),
+ name: Joi.string().required(),
+ route: Joi.string().required(),
+ props: Joi.object({
+ _id: Joi.string().required(),
+ _component: Joi.string().required(),
+ _children: Joi.array().required(),
+ _instanceName: Joi.string().required(),
+ _styles: Joi.object().required(),
+ type: Joi.string().optional(),
+ table: Joi.string().optional(),
+ }).required().unknown(true),
+ }).unknown(true))
+}
+function generatePatchValidation() {
+ return joiValidator.body(
+ Joi.object({
+ oldname: Joi.string().required(),
+ newname: Joi.string().required(),
+ }).unknown(true)
+ )
+}
 router.post(
 "/_builder/api/:appId/pages/:pageName",
 authorized(BUILDER),
@@ -42,6 +71,7 @@ router.get(
 router.post(
 "/_builder/api/:appId/pages/:pagename/screen",
 authorized(BUILDER),
+ generateSaveValidation(),
 async ctx => {
 ctx.body = await saveScreen(
 ctx.config,
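Review bot: The `props` schema in generateSaveValidation constrains only the top-level component; `_children: Joi.array().required()` accepts any array, so nested components are never checked for the `_id`/`_component`/`_styles` fields the commit message says it now requires. If the installed Joi version (not pinned in this diff) supports schema links, the shape can be made recursive by tagging the props schema with `.id("component")` and declaring `_children: Joi.array().items(Joi.link("#component")).required(),`. Note also that both `.unknown(true)` calls make these schemas presence checks rather than allow-lists, so extra keys in the body are not rejected by the validator; that is a reasonable choice for a builder endpoint but deserves a comment such as `// presence check only: unknown keys are not rejected here`. Both helpers also lack a JSDoc header stating which route each validator guards and that they return Koa middleware.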
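Review bot: The validator is attached only to the screen save route in this hunk; the page save route `/_builder/api/:appId/pages/:pageName`, visible as context at the end of the previous hunk, still accepts an unvalidated body even though the commit title says validation is added to pages. If the controller behind that route reads required body fields in the same way, a sibling validator inserted after `authorized(BUILDER),` there would close the gap. What joiValidator does on a failed body (status code, whether the handler is skipped) lives in `../../middleware/joi-validator`, outside this diff, so I could not confirm that invalid requests are actually short-circuited before `saveScreen`. The handler body continues outside the hunk.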
@@ -56,6 +86,7 @@ router.post(
 router.patch(
 "/_builder/api/:appname/pages/:pagename/screen",
 authorized(BUILDER),
+ generatePatchValidation(),
 async ctx => {
 await renameScreen(
 ctx.config,
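Review bot: generatePatchValidation requires `oldname` and `newname` to be non-empty strings but does not reject `oldname === newname`, so a no-op rename still reaches `renameScreen`; if the controller does not tolerate that, `newname: Joi.string().invalid(Joi.ref("oldname")).required(),` rejects it at the edge. Neither field carries a length or character constraint, and whether `renameScreen` uses these names to locate files or records is outside the diff — if it does, a `.pattern(...)` on both fields belongs in this schema rather than in the controller. The handler body continues outside the hunk.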